09-05-2019 01:01 AM - edited 02-21-2020 09:27 AM
I need to move an ASA configuration into FMC, but the problem is I can't figure out how to move the existing service policy and inspection rules into the new FMC, especially the inspection rules?
09-05-2019 02:44 AM
Unless you've customized the service-policies for a specific technical need, the FTD device will have default service policy rules just like ASA does.
If you need to customize the rules in FTD, here's how:
09-09-2019 12:21 AM
09-09-2019 02:46 AM
To modify the inspected protocols you need to use a Flexconfig.
Look under objects > Flexconfig > Flexconfig Objects. Specifically, Default_Protocol_Inspection_Enable and ...Disable objects.
You can modify those to suit your desired state (enabled or disabled) and then choose them for deployment to the selected devices under Devices > Flexconfig.
09-09-2019 03:01 AM
09-09-2019 04:57 AM
"$enableInspectProtocolList" is a Flexconnect text object:
Somewhere in 6.x Cisco added icmp to the list of default inspections so you don't need to do anything to add it if you're running a relatively recent Firepower version. Here's my list from a running-config on 6.4.0.4 (with no overriding entries in the Flexconfig list):
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect sip
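To make the comparison in the reply above repeatable, here is an added Python example (not from the thread or from Cisco) that pulls the inspect entries out of the policy-map block of a running-config and diffs them against the inspection list you want, giving the entries to put in the enable and disable FlexConfig text-object lists. The sample config is a constructed copy of the 6.4.0.4 list quoted above, and the "h323 h225" / "icmp error" naming of list entries is an assumption.

```python
# Constructed sample: the FTD 6.4.0.4 default policy-map quoted above, one command per line.
SAMPLE_RUNNING_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect sip
"""

def inspected_protocols(running_config, policy="global_policy", cls="inspection_default"):
    """List the inspect entries under the given policy-map / class. Entry names follow the
    FlexConfig text-object style assumed here ('h323 h225', 'icmp error'); map names are dropped."""
    found, in_policy, in_class = [], False, False
    for raw in running_config.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        indent = len(raw.rstrip()) - len(stripped)
        if indent == 0:                      # any top-level command ends the policy-map block
            in_policy = stripped == f"policy-map {policy}"
            in_class = False
        elif in_policy and indent == 1 and stripped.startswith("class "):
            in_class = stripped == f"class {cls}"
        elif in_class and stripped.startswith("inspect "):
            tokens = stripped.split()[1:]
            name = tokens[0]
            if name in ("h323", "icmp") and len(tokens) > 1:
                name = f"{name} {tokens[1]}"  # h323 subtypes and 'icmp error' are distinct inspections
            found.append(name)
    return found

def flexconfig_delta(current, desired):
    """Return (to_enable, to_disable): entries for the enable / disable FlexConfig text-object
    lists so that the device ends up inspecting exactly `desired`, nothing more."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)
```

Feed `inspected_protocols` the output of `show running-config` from the FTD and pass your ASA's inspection list as `desired`; an empty result means the defaults already match and no FlexConfig change is needed.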